West Wind Internet and Client Tools
wwHttp - basic auth problem
  Ondrej Vojtechovský
  All
  Apr 21, 2022 @ 01:29am

Hi,

I am trying to make an API service call using wwHttp. The API server is using basic HTTP auth (user + password). But the server is still returning {"code":403,"exception":"Wrong auth credentials."}

If I try to make the call using Postman - select "Basic auth" and fill in the same username and password - everything works just fine.

My FoxPro code:

Do wwhttp

loHttp = CREATEOBJECT("wwHttp")
loHttp.cContentType="application/json"
loHttp.cusername = "secret_username"
loHttp.cpassword = "secret_pwd"

lcResult = loHttp.post("https://www.123kuryr.cz/atol-api/order/ticket", m.lcJsonData)

Am I missing something? Can I get the source code of the HTTP call to compare it with the source code from Postman, for example?

Thank you for any help.


EDIT: If I try to manually add the auth token generated from username+pwd by Postman, it works.

loHttp.AddHeader("Authorization","Basic emFrYXpuaWtAd...secret...")
re: wwHttp - basic auth problem
  Rick Strahl
  Ondrej Vojtechovský
  Apr 21, 2022 @ 05:06pm

That's most likely because the server is not challenging requests with a 401 first, I suspect. WinInet doesn't pre-authenticate because it doesn't know what protocol you want to use, as it supports many, so the server has to provide the supported auth mechanisms first.

So if you want to send it immediately you have to manually send it.

I added a method to wwHttp that provides this immediate header in wwHttp.prg:

************************************************************************
*  AddBasicAuthenticationHeader
****************************************
***  Function: Adds an Authorization header with Basic Auth
***            username and password encoding
***    Assume: Username and password have to have values
***      Pass: lcUsername - user name to log in
***            lcPassword - password to log in
***    Return: nothing
************************************************************************
FUNCTION AddBasicAuthenticationHeader(lcUsername, lcPassword)
LOCAL lcKey

IF EMPTY(lcUsername) OR EMPTY(lcPassword)
   RETURN
ENDIF

lcKey = STRCONV(TRIM(lcUserName) + ":" + TRIM(lcPassword),13)
THIS.AddHeader("Authorization","Basic " + lcKey)

ENDFUNC
*   AddBasicAuthenticationHeader
re: wwHttp - basic auth problem
  Ondrej Vojtechovský
  Rick Strahl
  Apr 22, 2022 @ 12:26am

Thank you very much ... for the explanation as well as for the code.

I didn't realize that these credentials are just converted to base64.

re: wwHttp - basic auth problem
  Rick Strahl
  Ondrej Vojtechovský
  Apr 22, 2022 @ 01:29pm

Yeah, Basic Auth is not secure and not meant to be. But this is also why most services these days don't use Basic Auth but some sort of renewable authentication token (Bearer Authentication).

+++ Rick ---
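
The point made in the thread, that a Basic Authorization value is only the base64 of `user:password`, shown as an added example in Python (not code from the thread or from wwHttp). The function names and the sample credentials are constructed for illustration; the last helper masks the header before request text is written to a log.

```python
import base64
import re


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value for HTTP Basic auth (RFC 7617)."""
    if not username or not password:
        raise ValueError("username and password are required")
    if ":" in username:
        # The first colon separates user from password, so a colon in the
        # user name would make the pair ambiguous for the server.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value: str) -> tuple:
    """Recover (username, password) from a Basic Authorization value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    # validate=True rejects characters outside the base64 alphabet.
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("decoded value has no ':' separator")
    return username, password


_AUTH_RE = re.compile(r"(?im)^(Authorization:\s*\w+\s+)\S+")


def redact_authorization(text: str) -> str:
    """Mask the credential part of Authorization headers in log text."""
    return _AUTH_RE.sub(r"\1[REDACTED]", text)


if __name__ == "__main__":
    # Constructed sample credentials, not values from the thread.
    header = basic_auth_header("demo_user", "demo:pwd")
    print(header)
    print(decode_basic_auth(header))
    print(redact_authorization(f"POST /order HTTP/1.1\nAuthorization: {header}\n"))
```

Anyone who can read the header can run the decode step, so the header needs TLS in transit and redaction wherever requests are logged.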
